Apple Issues Mega Security Update

Computer maker Apple Wednesday released a security update to fix more than a dozen flaws in the Jaguar
and Panther versions of its flagship Mac operating system.

Apple Wednesday released patches for more than a dozen flaws in the Jaguar and Panther versions of the Mac operating system.

According to an advisory from Apple, the most
serious flaw could permit remote attackers to execute arbitrary code and potentially take over a user's system.

The mega patch fixes holes in several components of Max OS X, including CoreFoundation, IPSec, and the Kerberos 5 authentication system, which MIT recently patched.

Apple also included fixes for its Safari browser along with patches for components like libpcap, lukemftpd, NetworkConfig, OpenLDAP, OpenSSH, PPPDialer, rsync and tcpdump.

Apple said the CoreFoundation fix adds validity check to environment variables that could be manipulated to cause a buffer overflow.

"By manipulating local environment variables, a program could potentially be leveraged by a local attacker to execute arbitrary code," the company warned.

The company said that Mac users were not at risk of the more serious Kerberos flaw, noting, "The buffer overflow can only
be exploited if 'auth_to_local_names' or 'auth_to_local' support is also configured in the edu.mit.Kerberos file. Apple does not enable this by default."

In the Safari browser, Apple patched a hole that could allow an untrusted Web site to inject content into a frame
intended to be used by another domain.

"A web site that uses multiple frames can have some of its frames replaced
with content from a malicious site if the malicious site is visited first. The fix imposes a set of parent/child rules
preventing the attack," the company said.